2 Answers
1
L3 (IP) ingress control can be done outside of Kubernetes, via CIDR ranges in AWS security groups, or inside of Kubernetes via NetworkPolicy resources.
Since you are using one Ingress and one ALB, a security group on the ALB is not ideal, as it will impact all targets. Your options are:
- Create another Ingress/ALB and move app3 to that configuration, then restrict source IPs via the ALB security group
- Add Network Policies to your Kubernetes cluster, and create a Network Policy for the Pods fronted by the app3 Service. The user experience should be the same.
- You could also look into Security Groups for Pods. However, for simple L3 ingress control, I would recommend either ALB security groups or Kubernetes Network Policies.
Network Policies can be added to Amazon EKS, depending on the CNI you are using. For the AWS VPC CNI, you could use the Calico project. There are also alternative CNIs for Amazon EKS.
answered a year ago
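One concrete form of the second option (a Network Policy on the Pods behind the app3 Service), as an added example that is not part of the original answer; the namespace, the `app: app3` label, the container port and the allowed CIDR are assumptions:

```yaml
# Added example (not from the original answer): limit L3 ingress to the Pods
# selected by the hypothetical app3 Service to a single source CIDR.
# Everything not matched by the "ingress" rules below is denied for these Pods;
# Pods without a matching policy are unaffected.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app3-allow-from-trusted-cidr
  namespace: default            # assumed namespace of the app3 Pods
spec:
  podSelector:
    matchLabels:
      app: app3                 # assumed label that the app3 Service selects
  policyTypes:
    - Ingress                   # only ingress is restricted; egress stays open
  ingress:
    - from:
        - ipBlock:
            cidr: 203.0.113.0/24   # placeholder allowed range (TEST-NET-3)
      ports:
        - protocol: TCP
          port: 8080            # assumed targetPort of the app3 Service
```

The policy only takes effect once a CNI that enforces NetworkPolicy (for example Calico, as the answer notes) is installed; the VPC CNI on its own ignores it. Because an ALB terminates client connections and opens its own to the targets, the source address the Pods see is the ALB's private IP (the client IP is only in `X-Forwarded-For`), so the CIDR here must describe what actually reaches the Pods, such as the subnets of a dedicated ALB.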